CVE-2024-33621

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.37

Description A vulnerability in the Linux kernel has been resolved, where a raw packet from a PF PACKET socket on top of an IPv6-backed ipvlan device hits WARN ON ONCE() in sk mc loop() through the sch direct xmit() path. The issue is triggered when the skb->sk is used in ipvlan process v{4,6} outbound. To fix this, it is recommended to call ip{6} local out() with NULL sk in ipvlan as other tunnels.

Recommendations For Linux kernel versions prior to 6.6.37, update to version 6.6.37 or later to resolve the vulnerability. As a temporary workaround, consider disabling the ipvlan process v{4,6} outbound function until a patch is available. Restrict access to the vulnerable ipvlan module to minimize the risk of exploitation. Avoid using the skb->sk variable in the affected code path until the issue is resolved.